﻿<%
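Query_String=Request.QueryString
Request_Form = Request.Form

' ----------------------------------------------------------------------
' SQL-injection heuristic filter (classic ASP / VBScript include).
'
' 1. Rebuilds the requested URL into strTemp (scheme://host[:port]/path[?query]).
' 2. Scans the lower-cased, still URL-encoded URL for a fixed list of SQL
'    keywords/fragments.
' 3. Scans every Request.Form value for a second list of fragments.
' On any hit the attempt is appended to a log file, the client receives a
' JavaScript alert plus a redirect to index.asp, and Response.End stops the
' page. Page-level names set here: Query_String, Request_Form, strTemp, IP.
'
' NOTE(review): this is a blacklist and is easy to bypass (e.g. "+" instead of
' "%20", double encoding "%2520", SQL comments "/**/", keywords not on the
' list). It must not be the only defence; build queries with ADODB.Command
' parameters. Several form-list entries (" and ", "from ", "|", "''") also
' match ordinary text, so expect false positives on free-text fields.
' Runtime errors are NOT suppressed on purpose (the original had
' "On Error Resume Next" commented out): a failed log write raises an ASP
' error and the request is still not served.
' ----------------------------------------------------------------------

Dim strTemp
Dim strServerPort, bIsHttps
' IP is deliberately left undeclared, as in the original, to avoid a
' "Name redefined" error if the including page already declares it.

' --- 1. Reconstruct the requested URL -----------------------------------
bIsHttps = (LCase(Request.ServerVariables("HTTPS")) <> "off")
If bIsHttps Then
	strTemp = "https://"
Else
	strTemp = "http://"
End If

strTemp = strTemp & Request.ServerVariables("SERVER_NAME")

' SERVER_PORT is a string. The original compared it with the number 80; in
' VBScript a string-vs-number Variant comparison does not compare values, so
' the port was (very likely) always appended. Compare as strings, and leave
' the default HTTPS port implicit as well.
strServerPort = Request.ServerVariables("SERVER_PORT")
If strServerPort <> "80" And Not (bIsHttps And strServerPort = "443") Then
	strTemp = strTemp & ":" & strServerPort
End If

strTemp = strTemp & Request.ServerVariables("URL")

' Raw query string (still URL-encoded), hence the "%20" in the patterns below.
If Trim(Request.QueryString) <> "" Then
	strTemp = strTemp & "?" & Trim(Request.QueryString)
End If

strTemp = LCase(strTemp)

' --- 2. URL / query-string check ----------------------------------------
Dim arrUrlPatterns, strUrlPattern
arrUrlPatterns = Array("select%20", "insert%20", "delete%20from", "count(", _
	"drop%20table", "update%20", "truncate%20", "asc(", "mid(", "char(", _
	"xp_cmdshell", "exec%20master", "net%20localgroup%20administrators", _
	"union", "net%20user", "%20or%20", "%20and%20")

For Each strUrlPattern In arrUrlPatterns
	' strTemp is already lower-cased, so a plain (binary) InStr is enough here.
	If InStr(strTemp, strUrlPattern) > 0 Then
		SqlInjectLogAndBlock strTemp, "非法地址!"
	End If
Next

' --- 3. Form-field check -------------------------------------------------
Dim items
Dim nothis(17)
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select "
nothis(6)="count("
nothis(7)="asc "
nothis(8)="char("
nothis(9)="mid "
nothis(10)="|"
nothis(11)=" and "
nothis(12)="''"
nothis(13)="insert "
nothis(14)="delete "
nothis(15)="drop "
nothis(16)="truncate "
nothis(17)="from "
'nothis(18)="%"
'nothis(19)="@"

Dim i, strFieldValue
For Each items In Request.Form
	' Read each field once; the original re-read Request.Form per pattern.
	strFieldValue = Request.Form(items)
	For i = 0 To UBound(nothis)
		' vbTextCompare: the original InStr used a binary (case-sensitive)
		' compare, so "SELECT " or "Xp_CmdShell" in a form field slipped past
		' the lower-case pattern list.
		If InStr(1, strFieldValue, nothis(i), vbTextCompare) > 0 Then
			SqlInjectLogAndBlock strTemp & "|" & items & "=" & strFieldValue, "资料含有非法字!"
		End If
	Next
Next

' Appends one log line, sends the client an alert + redirect to index.asp,
' and ends the response. Shared by the URL and form checks above.
'   sDetail  - request data to log (URL, or URL plus offending field);
'              CR/LF are replaced so a crafted value cannot forge extra
'              log lines in the newline-delimited file.
'   sMessage - alert text; only the two constants in this file are passed,
'              so it is written into the script without escaping.
' Log line format: <now><ip>|<detail>|peer=<REMOTE_ADDR>
Sub SqlInjectLogAndBlock(sDetail, sMessage)
	Dim objfilesys, objstream, strRemoteAddr, strLine
	' HTTP_X_FORWARDED_FOR is client-supplied and trivially spoofed; it is kept
	' for compatibility with the original log, but the real peer address is
	' now always appended so the entry stays attributable.
	IP = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
	strRemoteAddr = Request.ServerVariables("REMOTE_ADDR")
	If IP = "" Then IP = strRemoteAddr
	strLine = Now() & IP & "|" & sDetail & "|peer=" & strRemoteAddr
	strLine = Replace(Replace(strLine, vbCr, " "), vbLf, " ")
	' Append mode (8); create the file if it is missing (the directory must
	' exist). The original never closed the stream - closed explicitly here.
	Set objfilesys = Server.CreateObject("Scripting.FileSystemObject")
	Set objstream = objfilesys.OpenTextFile("c:\xiaofm\sqlinject\sqlinject_log.txt", 8, True)
	objstream.WriteLine strLine
	objstream.Close
	Set objstream = Nothing
	Set objfilesys = Nothing
	Response.Write "<script language='javascript'>"
	Response.Write "alert('" & sMessage & "');"
	Response.Write "location.href='index.asp';"
	Response.Write "</script>"
	Response.End
End Sub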
%>